'Aggressively non-regulatory' NIST offers a cyber helping hand

The director of NIST's Information Technology Laboratory says it can help develop innovative technologies that both industry and agencies can use.


The tidal wave of cyberattacks and electronic snooping by criminals and other bad actors threatens the commercial and government sectors. Both could learn to navigate that wave, but they have to coordinate their courses.

Charles Romine, director of the National Institute of Standards and Technology’s Information Technology Laboratory, said his organization is uniquely positioned to help both embattled parties.

“We’re aggressively non-regulatory,” Romine said in opening remarks at the 2015 Cybersecurity Innovation Forum in Washington, D.C., on Sept. 9. The forum gathered hundreds of federal and private industry attendees to talk cyber defense technologies, strategies and policy.

What Romine meant was that NIST and the ITL can aid private-sector firms in developing ideas and technical frameworks to come up with innovative technologies that both commercial companies and federal agencies might be able to use.

“We can’t compel industry to do anything,” he said. But, far from making the agency impotent, he said the non-regulatory stance is an “amazingly powerful” tool that can bring industry and government together on real-world approaches and solutions. He pointed to NIST’s close work with industry in developing the Advanced Encryption Standard and the Risk Management Framework over the years as evidence of its effectiveness.

Romine called on attendees to collaborate with NIST on finding more effective solutions to the surging, changing wave of cyberattacks on federal agencies and companies.

Industry is receptive to NIST’s approach, but one of the experts speaking at the conference urged some caution in dealing with the government on sharing threat information.

“Cybersecurity cuts across Wall Street and Main Street,” Zulfikar Ramzan, chief technology officer at RSA, said in his keynote address. Building cyber protections into business operations, including those of critical infrastructure companies such as banks and energy corporations, requires collaborating with the federal government on how to protect commercial networks, he said.

However, too much reliance on the federal government to prevent cyberattacks on the private sector can “lead to a sense of helplessness” about how to stop or recover from an attack, he said.

Commercial industry, he said, ultimately has to take responsibility for its own network protections and response. “The elephant in the room” when it comes to government/commercial industry collaboration, he said, “is a lack of trust” that is rooted in undefined rules and responsibilities.

To be most effective, he said, companies have to set internal parameters and take stock of realistic protection capabilities. Government, he said, can share critical details with industry about the source of attacks and the threat environment, while offering advice on the best protective measures.

Commercial industry, he said, can develop technology and drive rapid innovation to counter threats. It can also be a more active participant in cyber strategy and policy debates.
